
Troubleshooting: Reviewing all incoming syslog data

Question:
Syslog data rejected by the rules is not displayed in the logs by default. How can all incoming syslog data be reviewed?

Answer:
The rules source file contains a <logunmatched> tag. Set it to true so that messages no rule matched are also written to the log.

NOTE: When troubleshooting is complete, ensure that <logunmatched> is set back to false.

Details:
* It is recommended that changes be made to the file in TRAVERSE_HOME\plugin\messages rather than to the shipped copy under TRAVERSE_HOME\etc\messages\syslog
* Check whether TRAVERSE_HOME\plugin\messages\00_src_syslogd_default.xml exists
* If it does not, copy TRAVERSE_HOME\etc\messages\syslog\00_src_syslogd_default.xml to TRAVERSE_HOME\plugin\messages\00_src_syslogd_default.xml
* Edit TRAVERSE_HOME\plugin\messages\00_src_syslogd_default.xml
* Change the entry
    <logunmatched>false</logunmatched>
  to
    <logunmatched>true</logunmatched>
* Save the file
* Reload the configuration as described in Deploying a new message rule file
* Send new syslog messages (or traps) and review TRAVERSE_HOME\logs\messages.log; the previously rejected entries should now appear

Rollback:
Once troubleshooting is complete:

* Edit TRAVERSE_HOME\plugin\messages\00_src_syslogd_default.xml
* Change the entry
    <logunmatched>true</logunmatched>
  to
    <logunmatched>false</logunmatched>
* Save the file
* Reload the configuration as described in Deploying a new message rule file
* Send new syslog messages (or traps) and confirm that rejected entries no longer appear in TRAVERSE_HOME\logs\messages.log
* If TRAVERSE_HOME\plugin\messages\00_src_syslogd_default.xml was created only for this procedure, it may be deleted. If it contains other customizations, retain it.

NOTE: This article applies to SNMP traps and Windows events as well; the corresponding source file must be used.
For SNMP traps, replace 00_src_syslogd_default.xml in all the paths above with 00_src_snmp_trap.xml
For Windows events, replace 00_src_syslogd_default.xml in all the paths above with 00_src_winevt_log.xml
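The steps above (copy the shipped file into the plugin directory if needed, flip <logunmatched>, roll it back afterwards, and do the same for the trap or Windows event source file) can be scripted so the change is repeatable and the rollback is exact. The following is an added example, not Traverse's own tooling. It assumes only what this article states: the rule source file contains a single <logunmatched>true|false</logunmatched> element, the editable copy lives under TRAVERSE_HOME\plugin\messages, and the shipped default lives under TRAVERSE_HOME\etc\messages\syslog. The sample rule file, the element it is wrapped in, and the function names are constructed for the example. Reloading the configuration is not automated here; follow Deploying a new message rule file after running it.

```python
"""Toggle <logunmatched> in a Traverse message-rule source file.

Added example, not part of Traverse. It assumes only what the article states:
one <logunmatched>true|false</logunmatched> element per file, the editable copy
under TRAVERSE_HOME/plugin/messages, the shipped default under
TRAVERSE_HOME/etc/messages/syslog.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Rule source files named in the article, keyed by message type.
SRC_FILES = {
    "syslog": "00_src_syslogd_default.xml",
    "trap": "00_src_snmp_trap.xml",
    "winevt": "00_src_winevt_log.xml",
}

_TAG_RE = re.compile(r"<logunmatched>\s*(true|false)\s*</logunmatched>", re.IGNORECASE)

# Constructed sample; the surrounding elements are invented, only the tag matters here.
SAMPLE_RULES = """<?xml version="1.0"?>
<!-- constructed sample, not a real Traverse rule file -->
<source name="syslogd">
  <logunmatched>false</logunmatched>
  <rule id="example">...</rule>
</source>
"""


def get_logunmatched(xml_text: str) -> bool:
    """Read the current <logunmatched> value; exactly one element must exist.

    Zero matches means the wrong file was opened; more than one would make the
    edit ambiguous, so both are refused rather than guessed at.
    """
    matches = _TAG_RE.findall(xml_text)
    if len(matches) != 1:
        raise ValueError(f"expected exactly one <logunmatched> element, found {len(matches)}")
    return matches[0].lower() == "true"


def set_logunmatched(xml_text: str, enabled: bool) -> str:
    """Return xml_text with <logunmatched> set to true or false.

    A targeted text substitution, rather than parse-and-reserialise, leaves
    comments, element order and indentation elsewhere untouched, so the
    rollback restores a byte-identical file.
    """
    get_logunmatched(xml_text)  # validates that exactly one element is present
    value = "true" if enabled else "false"
    return _TAG_RE.sub(f"<logunmatched>{value}</logunmatched>", xml_text)


def ensure_plugin_copy(traverse_home: Path, kind: str = "syslog") -> Path:
    """Return the plugin override path, copying the shipped default if it is absent."""
    name = SRC_FILES[kind]
    plugin_file = traverse_home / "plugin" / "messages" / name
    if not plugin_file.exists():
        # The article's literal instruction: same etc path, only the file name changes.
        shipped = traverse_home / "etc" / "messages" / "syslog" / name
        plugin_file.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(shipped, plugin_file)
    return plugin_file


def set_unmatched_logging(traverse_home: Path, enabled: bool, kind: str = "syslog") -> Path:
    """Enable (troubleshooting) or disable (rollback) logging of unmatched messages.

    The configuration still has to be reloaded afterwards, as the article says.
    """
    plugin_file = ensure_plugin_copy(traverse_home, kind)
    text = plugin_file.read_text(encoding="utf-8")
    plugin_file.write_text(set_logunmatched(text, enabled), encoding="utf-8")
    return plugin_file


def simulate() -> tuple:
    """Run enable then rollback against a throwaway TRAVERSE_HOME built from SAMPLE_RULES."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        shipped = home / "etc" / "messages" / "syslog" / SRC_FILES["syslog"]
        shipped.parent.mkdir(parents=True)
        shipped.write_text(SAMPLE_RULES, encoding="utf-8")

        existed_before = (home / "plugin" / "messages" / SRC_FILES["syslog"]).exists()
        plugin_file = set_unmatched_logging(home, True)
        after_enable = get_logunmatched(plugin_file.read_text(encoding="utf-8"))
        set_unmatched_logging(home, False)
        rolled_back_exactly = plugin_file.read_text(encoding="utf-8") == SAMPLE_RULES
        return existed_before, after_enable, rolled_back_exactly


if __name__ == "__main__":
    print(simulate())  # (False, True, True)
```

Run `set_unmatched_logging(Path(r"C:\TRAVERSE_HOME"), True, kind="trap")` to apply the trap variant, then reload the configuration and review TRAVERSE_HOME\logs\messages.log; call it again with `False` for the rollback. Refusing to edit when the tag count is not exactly one is deliberate: it catches pointing the script at the wrong file before anything is written.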